MANAGEMENT AND PERFORMANCE CHALLENGES
In keeping with the Reports Consolidation Act, the OIG has identified the following management
and performance challenges facing the Corporation.[1] Each of the challenges we have identified
is marked by one or more of the following characteristics:

   1. It is important to the achievement of the FDIC mission and the strength of the
      nation’s financial system.
   2. It involves significant resources, expenditures, or fiduciary responsibility.
   3. It directly impacts consumers of financial services.

The following challenges reflect the OIG’s view of the Corporation’s overall program and
operational responsibilities; industry, economic, and technological trends; areas of
congressional interest; relevant laws and regulations; the Chairman’s priorities and
corresponding corporate performance and Government Performance and Results Act goals;
and the ongoing activities to address the issues involved.

   ♦ Assessing and Mitigating Risks to the Insurance Funds
   ♦ Ensuring Institution Safety and Soundness Through Effective Examinations,
     Enforcement, and Follow-Up
   ♦ Contributing to Public Confidence in Insured Depository Institutions
   ♦ Protecting and Educating Consumers and Ensuring Compliance
   ♦ Being Ready for Potential Institution Failures
   ♦ Managing and Protecting Financial, Human, Information Technology, and
     Procurement Resources


ASSESSING AND MITIGATING RISKS TO THE INSURANCE FUNDS
As of the end of the third quarter of 2005, the FDIC insured $3.830 trillion in deposits in 8,856
institutions.
According to FDIC projections, if the current trend of industry consolidation
continues, the banks the FDIC directly supervises will likely represent a smaller and smaller
portion of the financial exposure it faces as deposit insurer. Also, another potential risk has
become apparent as a result of recent natural disasters—multiple bank failures in a geographic
region. Given these circumstances, the Corporation faces several challenges:

[1] Under the Reports Consolidation Act, the OIG is required to identify the most significant
management and performance challenges facing the Corporation and provide its assessment to the
Corporation for inclusion in its annual performance and accountability report (annual report).
The OIG conducts this assessment yearly and identifies a number of specific areas of challenge
facing the Corporation at the time.

Assessing Risks in Large Banks: To effectively fulfill its fundamental responsibilities as
deposit insurer, the Corporation must ensure its large-bank program provides ready access to
the information it needs to effectively identify and assess risks that large institutions, including
those it does not supervise, pose to the insurance funds. Effectively communicating and
coordinating with the other primary federal banking regulators is central to the Corporation’s
ability to meet this challenge. Moreover, given the inherent complexity of these large
institutions, the FDIC must have or develop the capability to assess the risks associated with
these institutions, which are different from those found in smaller banks. As the FDIC and other
regulators are evaluating policy options to ensure that large institutions and the industry as a
whole maintain adequate capital and reserves under Basel II, the FDIC must ensure that its staff
has the necessary information and expertise to understand and evaluate the adequacy of the
largest institutions’ capital models.
The possibility of a large bank failure, however remote,
looms as a significant challenge confronting the FDIC.

Monitoring Risks from Recent Natural Disasters: The FDIC and the other primary federal
regulators have long emphasized the importance of disaster recovery and business continuity
planning at insured depository institutions. While the focus of September 11 was on terrorist
attacks and related disruption of commercial activities, recent natural disasters have added a
new dimension to the risks associated with major regional crises. While initial indications from
the FDIC are that the banking industry has initially fared well through the latest natural disasters,
considerable risk remains over the long term to affected institutions and, in turn, the insurance
funds. For example, the impact, if any, of relaxing examination and other regulatory
requirements will likely not be plainly visible for many months.

Preparing for Deposit Insurance Reform: The FDIC has been working with the Congress
over the past several years on a comprehensive deposit insurance reform package. If enacted,
the FDIC will be faced with managing the funds under the current system while transitioning
under tight time constraints to a new fund structure and premium system. Implementation of
operational changes may result from deposit insurance reform.


ENSURING INSTITUTION SAFETY AND SOUNDNESS THROUGH EFFECTIVE
EXAMINATIONS, ENFORCEMENT, AND FOLLOW-UP
Supervision is a cornerstone of the FDIC’s efforts to ensure stability and public confidence in the
nation’s financial system. As of September 30, 2005, the FDIC was the primary federal
regulator for more than 5,250 institutions. The FDIC performs safety and soundness, Bank
Secrecy Act (BSA), information technology, trust, and other types of examinations of
FDIC-supervised insured depository institutions.
The Corporation’s system of supervisory controls
must identify and effectively address financial institution activities that are unsafe, unsound,
illegal, or improper before the activities cause a drain on the insurance funds. Specific
challenges related to this core FDIC mission include:

Maintaining an Effective Examination and Supervision Program: The FDIC has adopted a
more risk-focused approach to examinations to minimize regulatory burden and better direct its
resources to those areas that carry the greatest potential risk. The FDIC must continue to
monitor the effectiveness of its risk-focused procedures and any related resource reductions to
ensure that this approach does not compromise examination quality or results. The FDIC must
also ensure that financial institutions have adequate corporate governance structures relative to
the bank’s size, complexity, and risk profile to prevent financial losses and maintain confidence
in those entrusted with operating the institutions. The FDIC’s follow-up processes must be
effective to ensure institutions are promptly complying with supervisory actions that arise as a
result of the FDIC’s examination process.

Supervising Industrial Loan Companies: The FDIC is the primary federal regulator for a
number of industrial loan companies (ILCs), which are insured depository institutions owned by
organizations that, as bank holding companies, are subject to a different supervisory regimen
when compared to other bank holding companies. The ILC industry includes large, complex
financial institutions.
The FDIC must establish and maintain effective controls in its processes
for granting insurance to, supervising, and examining ILCs and their parent companies,
particularly in cases where consolidated supervision is not provided by another federal
regulator.


CONTRIBUTING TO PUBLIC CONFIDENCE IN INSURED DEPOSITORY INSTITUTIONS
Guarding Against Financial Crimes in Insured Institutions: All financial institutions are at
risk of being used to facilitate or being victimized by criminal activities including money
laundering and terrorist financing. Such activities serve to undermine public confidence in the
institutions. The Corporation is faced with developing and implementing programs to minimize
the extent to which the institutions it supervises are involved in or victims of financial crimes and
other abuse. The challenge is to facilitate the effective implementation of regulatory reporting
requirements without imposing any undue regulatory burden. Examiners must also be alert to
the possibility of fraudulent activity in financial institutions, which is inherently difficult because
fraud is both purposeful and hard to detect.

Part of the FDIC’s overall responsibility and authority to examine banks for safety and
soundness is the responsibility for examining state-chartered non-member financial institutions
for compliance with the Bank Secrecy Act. The BSA requires financial institutions to keep
records and file reports on certain financial transactions. FDIC-supervised institutions are
required to establish and maintain procedures designed to assure and monitor compliance with
the BSA requirements. An institution’s level of risk for potential money laundering determines
the necessary scope of the BSA examination. In its role as supervisor, the FDIC also analyzes
data security threats, occurrences of bank security breaches, and incidents of electronic crime
that involve financial institutions.
Misuse and misappropriation of personal information are
emerging as major developments in financial crime. Despite generally strong controls and
practices by financial institutions, methods for stealing personal data and committing fraud with
that data are continuously evolving. The FDIC must continue its work in assuring the security of
customer data against such criminal activity to help maintain the public’s trust in the banking
system.


PROTECTING AND EDUCATING CONSUMERS AND ENSURING COMPLIANCE
The FDIC protects consumers through its oversight of a variety of statutory and regulatory
requirements aimed at safeguarding consumers from unfair and unscrupulous banking
practices. Through community outreach efforts and technical assistance, the FDIC encourages
lenders to work with members of their local communities in meeting the communities’ credit
needs. Specific challenges include:

Protecting Consumer Privacy: The FDIC implements regulations and conducts regularly
scheduled examinations to verify that institutions comply with laws designed to protect personal
information, which serve to guard against the growing threat of identity theft. The FDIC
evaluates the adequacy of financial institutions’ programs for securing customer data and may
pursue informal or formal supervisory action if it finds a deficiency.

Educating the Public and Handling Complaints: The FDIC has made it a priority to impart
financial education to the millions of Americans who lack basic financial skills.
The Corporation’s challenge is to join with its regulatory counterparts to effectively implement
programs that help integrate into the financial system the large number of households that are
isolated from the opportunity to establish credit, own a home, and build a better future for their
families.

Regulating Lending Practices: The FDIC’s programs of supervision and education can help
prevent abusive lending practices that target the financially illiterate or disadvantaged. The
FDIC must evaluate laws and implement regulations to find ways to curb these lending
practices, while ensuring continued access to credit for the widest range of qualified customers
and protection against the abuse of vulnerable individuals. The challenge is to balance the
need for regulation with avoiding inappropriate or undue interference in legitimate business
activities.

Ensuring Compliance with Laws and Regulations: The FDIC is responsible for evaluating
financial institution compliance with consumer protection laws and regulations. Such laws
include, for example, the Community Reinvestment Act, Home Mortgage Disclosure Act, and
Fair Credit Reporting Act. In June 2003, the FDIC revised its compliance examination program.
Compliance examinations now combine a risk-based examination process with an in-depth
evaluation of an institution’s compliance management system, resulting in a top-down,
risk-focused approach to examinations. The Corporation’s challenge is to ensure that the new
approach makes the examination process more effective and efficient and reduces the
examination burden on banks.


BEING READY FOR POTENTIAL INSTITUTION FAILURES
The FDIC is responsible for the resolution of failed banks or savings associations.
The Corporation is required by law to protect taxpayers by prudently managing the Bank Insurance
Fund and the Savings Association Insurance Fund and to protect insured depositors by using
the assets of the funds to pay insured deposits at the time of the institution failure. The trend
toward fewer failures over the past few years changes the nature of the challenge for the FDIC.
Planning for failing and failed institutions, including large or multiple bank failures, needs to be
evaluated, revisited, and tested for adequacy in light of FDIC downsizing activities and
corresponding loss of institutional knowledge and expertise. Catastrophic events such as the
multiple hurricanes that occurred during the past year underscore the need for the Corporation’s
readiness to respond.


MANAGING AND PROTECTING FINANCIAL, HUMAN, INFORMATION TECHNOLOGY,
AND PROCUREMENT RESOURCES

The FDIC must effectively manage and utilize a number of critical strategic resources in order to
carry out its mission successfully, particularly its financial, human, information technology (IT),
and procurement resources. The FDIC has emphasized its stewardship responsibilities in its
strategic planning process. A number of key management activities pose governance
challenges to corporate executives and managers, as discussed below:

Financial Resource and Capital Investment Management: The FDIC’s operating expenses
are largely paid from the insurance funds, and consistent with good corporate governance
principles, the Corporation must continuously seek to improve its operational efficiency.
Because 65 percent of the FDIC’s budget costs are personnel-related, a challenge to the
Corporation is to ensure that budgeted resources are properly aligned with workload.
With respect to capital investments, effective planning and management of IT and non-IT capital
investments are mandated by Congress and by the Office of Management and Budget for most
federal agencies. Although many of these laws and executive orders are not legally binding on
the FDIC, the Corporation recognizes that they constitute best practices and has adopted them
in whole, or in part. The underlying challenge is to carry out approved investment projects on
time and within budget, while realizing anticipated benefits.

Human Capital Management: In the past several years, the FDIC has undergone significant
restructuring and downsizing in response to changes in the industry, technological advances,
and business process improvements and, as with many government agencies, the FDIC
anticipates a high level of retirement in the next 5 years. Amidst such change, the Corporation
must seek to maintain employee morale and positive employee-management relationships. To
that end, the FDIC formulated a human capital strategy to guide the FDIC through the rest of
this decade. A key part of its human capital strategy is the Corporate Employee Program
designed to help create a more adaptable permanent workforce and that reflects a more
collaborative and corporate approach to meeting critical mission functions. The challenge now
is implementing its strategy and monitoring the success of related human capital initiatives and
programs. Additionally, developing new leaders and engaging in succession planning pose a
challenge. Finally, in an age of identity theft risks, the FDIC needs to maintain effective controls
to protect personal employee-related information that the Corporation possesses.
The appointment of a chief privacy officer and implementation of a privacy program are positive
steps toward addressing that challenge.

Information Technology Management: The FDIC seeks to maximize its IT resources to
improve the efficiency and effectiveness of its operational processes. The Corporation’s IT
transformation initiative targets three broad areas of challenge:

   ♦ Governance and process improvements that focus on making strategic alignment a
     requirement for all IT work.
   ♦ Technical improvements to continue to replace/upgrade critical components of the IT
     infrastructure.
   ♦ Organizational changes to better align IT resources with workload, flatten the
     organizational structure, and improve communication with customers.

To address these broad challenges, the FDIC is embracing a capability maturity model to
improve long-term business performance; employing a new system-development life cycle
methodology to minimize risk, provide more predictable results, and deliver high-quality systems
on time and within budget; and continuing to enhance its Enterprise Architecture (EA) program
by identifying duplicative resources/investments and opportunities for internal and external
collaboration to promote operational improvements and cost-effective solutions to business
requirements.

The establishment of an integrated and streamlined e-government infrastructure is a key
component of the Corporation’s target EA. In this regard, the Corporation has initiated a
number of major projects designed to improve internal operations, communications, and service
to members of the public, business, and other government entities.
The challenge is to ensure
that such projects are consistent with e-government principles and implementing guidance from
the Office of Management and Budget, most recently guidance that is related to the use of
earned value management.

Security Management—IT and Physical: The FDIC recognizes that a robust information
security program requires an ongoing commitment by the organization. The OIG’s 2005 Federal
Information Security Management Act evaluation results showed that the Corporation had
established and implemented controls in all of the management control areas assessed that
provided either limited or reasonable assurance of adequate security over its information
resources. Still, attention was needed in certain areas such as information security risk
management, oversight of contractors with access to sensitive data and systems, and
implementation of an enterprise security architecture.

Additionally, following Y2K and in light of terrorist-related disruptions and, more recently,
adverse impacts of natural disasters, the importance of corporate disaster recovery and
business continuity planning has been underscored and elevated to an enterprise-wide level.
Such planning involves more than the recovery of the technology; it involves the recovery of the
entire business. The FDIC must be sure that its Emergency Preparedness Program provides
for the safety and physical security of its personnel and ensures that its critical business
functions remain operational during any emergency.

Procurement Management: With corporate downsizing has come, in many instances,
increased reliance on contracted services and potential increased exposure to risk if contracts
are not managed properly.
Processes and related controls for identifying needed goods and
services, acquiring them, and monitoring contractors after the contract award must be in place
and work effectively. Many employees with contracting expertise have left the Corporation and
contract management responsibilities have shifted. Also, a number of new contracting vehicles
and approaches are being implemented. For example, the Corporation combined
approximately 40 IT-related contracts into one contract with multiple vendors for a total program
value of $555 million over 10 years. Also, for the first time, it is using a large technical
infrastructure contract through the General Services Administration (GSA) valued at over $300
million. Along with the expected benefits of these contracts come challenges. The Corporation
has not previously outsourced a procurement process to GSA, and both new contracts are
performance-based, requiring different oversight mechanisms and strategies than the time and
materials contracts that the Corporation has historically used.

Enterprise Risk Management: As an integral part of its stewardship of the insurance funds, the
FDIC has established a risk management and internal control program. The Corporation has
committed to adopting an Enterprise Risk Management approach to identifying and analyzing
risks on an integrated, corporate-wide basis. Revised OMB Circular A-123, which became
effective for fiscal year 2006, requires a strengthened process for conducting management’s
assessment of the effectiveness of internal control over financial reporting. The circular also
emphasizes the need for agencies to integrate and coordinate internal control assessments with
other internal control-related activities, and ensure that an appropriate balance exists between
the strength of controls and the relative risk associated with particular programs and operations.